Being passionate about #Cybersecurity!

“Why are you so passionate about raising Cybersecurity awareness?” is a question I have been asked many times in the past years. Even while discussing a project proposal for something entirely different last week, the potential customer asked me this question. In most cases I decide to give a provocative question as reply just for the sake of trying to initiate a discussion. “Why aren’t you?”. On a good day, someone will reply that this is a good question and the discussion kicks in. On a bad day, someone will reply that the IT-Department is responsible for that…

In short, I have 3 reasons to be very passionate about Cybersecurity, awareness and education and these are not in order of priority:

In the past decades, I myself became the victim of various cybercrimes.

The false sense of security and lack of taking responsibility, users and suppliers alike, is a matter of mindset, not technology.

Kids should be able to use internet safe and should neither make the mistakes I made, nor should they suffer under not understanding.

Hi, I am Johannes and I am a Cybercrime victim

That’s my opening sentence for the workshops Cybersecurity for Road Warriors and Couch Potatoes. More than once, I was the victim of Cybercrime, fraud and identity theft. It wasn’t always a big thing and in most cases these issues could be solved quickly or at least before they escalated. In some case however, the damages were severe. And what makes it even worse, is that in most cases these issues could have been prevented. By myself? Unfortunately not and yet I still feel responsible.

I am fully aware that I should have all the knowledge to prevent such issues from happening and I continue to educate myself. And still I was not able to prevent for example that confidential data was stolen from my company notebook, lots of it as we found out later. This notebook was provided by the company I worked for as a contractor and was fully under control of the corporate IT-Department. So basically, I was just an average user and none of my IT and security skills could be applied. The notebook was equipped with professional anti-virus and anti-malware tools, security profiles, secured connections, regular scans, encryption and a lot of restrictions which in most cases seemed to make sense. Safe, right? Unfortunately not!

One night, burning the midnight oil again on a report, I noted a strange lockout from my system when activating it from standby. I just had a quick snack and wanted to continue working but much to my surprise I wasn’t able to log in. There was another user logged on to this notebook and I needed administrator credentials which I didn’t have. Strange, because there should not be anyone else logged on. So I called the IT-helpdesk to check if they were doing some remote maintenance. Working for a global company meant that the IT-Helpdesk was available almost 24/7 and while looking up the number, I considered that this might also mean that they did maintenance on systems during their day and my night time. My first thought was to just ask how long it would take because I needed to finish this report and still wanted to get a few hours of sleep. I was surprised to hear that there was no maintenance ongoing on my system and the statement “Are you sure your system is switched on, I don’t see it online” confused me even more. A few more checks later, including “your system is not responding to remote connection requests”, the advice was to just reboot it which I did. Yes, I could log on again but I wasn’t satisfied with the refusal to find out what caused this to happen.

What followed was almost 3 weeks of their “the problem is solved” versus my “the symptom is gone but you haven’t investigated the problem”. I finally started to get some attention for this issue by showing the alerts from my own router at home which had prevented my company notebook from contacting a series of obscure and unknown servers during the weekend. At night while it was in standby! Now it suddenly unfolded in my mind. That night, when I wasn’t able to log on to my system. Last night when my system had tried to “call home”. The night before the same. And all roughly at the same time. This couldn’t be just coincidence!

The IT-Department still couldn’t find anything wrong with this computer and the ticket was simply closed again. This time I didn’t let them get away with it that easily. After being turned down again and again, I decided to inform Internal Auditing so now it was officially a potential security issue. When the IT-Department finally had an external security expert take a look at my notebook, the findings where overwhelming. By coincidence, I had caught an advanced hacking attack in progress by opening the lid of my notebook to bring it out of standby, not knowing at that moment that it was already under the control of a hacker. The refusal of the IT-Department to act on my call, allowed the hackers to continue their malicious attack and collect whatever data was available.

The findings of the expert described exploiting a vulnerability of the operating systems in combination with enabled remote support and Wake on LAN (WoL), which allowed the hacker to bring the system out of standby in remote maintenance mode, create a local account with administrator credentials which then inserted an exception for the malicious tools in the virus-scanner configuration, installed the malicious tools and modified the local firewall settings, and scheduled a nightly transfer of data every time the system was in standby during the night. And the system was in standby almost every night, because closing the lid of a notebook and continuing where I left off on the next day was saving me a lot of time. Don’t we all do that a lot? I did until then but not anymore. If there is anything I have learned from this experience, it is to switch everything off that I am not actively using at the moment.

The smacking for lack of security by the expert wasn’t finished by confirming that my company provided notebook had been hacked and placed under control of one or more hackers. Further investigation showed that 12 more notebooks from the same company had been hacked over the past few months, and all instances of the hacks took place while the users of those systems were in the same hotel during that period. That hotel was the standard hotel for everyone who was visiting the nearby plant. Analyzing the transferred data and the fact that multiple systems from the same company had all been attacked from the same place, gave the expert a clear and understandable indication that this was a designated cyberattack on this company. What made it even worse is that 2 more notebooks had been brought under the control of the cybercriminals after my system had been hacked. So even when all precautions failed, these hacks could and should have been prevented by timely and consistent action!

After the conclusion of the findings it only got worse and really embarrassing for the IT-Department and to be honest, for the entire company, its leadership team and the board. The vulnerability of the operating system was already patched in a critical update the year before the hack but this critical update was still not distributed by the IT-Department. It was still in “testing”, citing some isolated incident from many years ago where a patch had caused issues with domain controllers as reason why distribution of patches and even critical patches was delayed. Not a few days. No, distribution was in same cases delayed for many months. The recommended configuration for the distributed anti-virus software was overwritten by the IT-Department “because we had this one problem once and we had to allow the local administrator profile to change the local configuration”, basically disabling the entire centralized security profile management. Auditing of the operating system was disabled “because we never look at it anyway” so the build in ability to automatically detect that a local administrator profile was created had been disabled. Yes, even the modification of the local firewall would have generated an alert but who needs automated monitoring of critical security settings when you don’t look at it anyway…

There was even a fancy (and expensive!) tool which monitored the security and intrusion of the infrastructure. Too bad that the really critical data points were switched off. The attack had been so customized on the failing IT security policy and lack of active monitoring by the company, that the expert even concluded that this might as well be the result of insider involvement in the attack. After failed attempts to wipe this entire incident under the rug, the Senior Leadership and Board was finally informed about this hack in a report that still attempted to downplay the impact of it all. Both CEO and Board took it very serious and besides several personnel changes in the IT-Organization, the company was forced to spend an unbudgeted 7-figure sum for fixing their infrastructure and security. And I was again the victim of Cybercrime, even if the costs didn’t come out of my own pocket this time. What still makes me angry after all these years is that it could have been prevented without much effort!

Dangerous false sense of security and lack of responsibility

That incident triggered anger in me because on the one hand I was a victim of Cybercrime because a bunch of people had decided to use a chain of excuses instead of taking their job seriously, and on the other hand there was nothing I could have done to prevent it despite being an IT-expert myself. It was embarrassing, I felt embarrassed and abused. Once my anger cooled off a bit, my curiosity kicked in again so I started to do research. Was this an isolated incident or did such things happen more often? How can it be that international corporations like this one, have huge IT budgets, internal and external auditing and still are able to screw up the basics of implementing proper Cybersecurity? Doesn’t anyone else notice this or am I really the only one getting really upset about this?

It wasn’t easy to find companies willing to discuss this because most companies that are exposed to cybercrime still prefer to hide it out of fear of negative impact on the market and stock evaluation. But I did find some employees (and former employees) of companies that have had serious security breaches in the past and much to my surprise, they all had a similar story to tell. Yes, they all had a centralized IT-Departments. Yes, they all had virus scanners. Yes, they all had backups and redundant systems. Yes, they all had all kinds of restrictions implemented. Yes, they all thought that there was an adequate security policy. Until it went wrong, very wrong.

Companies with a false sense of security that had to invest huge amounts of money to solve the consequences of cybercrime are much more common than I ever thought could be possible. Companies that lost significant revenues because they were not able to recover from lost data and disrupted services, despite having the latest-greatest in backup systems. Companies with high-tech redundant systems, even with auto failover and recovery in place, not being aware that this meant nothing other than that the undetected problem was simply replicated throughout their systems. Companies that invest in technology but never invest in penetration testing to determine their weaknesses. Companies that had fancy overviews and presentations on how it should work, only to find out that the hackers don’t follow the logic of their defenses and found other ways to get in and do their malicious work.

National Cyber Security Awareness Month was established to strengthen the weakest point of any security solution: humans. No matter how effective—or expensive—the security tools protecting your network are, there’s no way to predict the damage caused by a single careless user. The war against cyber criminals is fought each time a user decides to click an unfamiliar link or open an attachment—and just a single mistake could be the reason for massive data loss. Kara Drapala on Cisco Umbrella

Besides poorly implemented and executed security policies, in many cases the users play a key role in exposing infrastructure to cybercrime. Either by falling for smart phishing attacks, or by finding ways to outsmart some restrictions, or even by simply doing what the company told them was completely safe but in reality isn’t. And in most cases it is a very dangerous combination of not understanding the risks and a false understanding that the IT-Department is responsible for Cybersecurity. Both of that is so very wrong in so many ways that this is the core message of the workshops Cybersecurity for Road Warriors and Couch Potatoes!

If not for yourself, do it for the kids!

Kids are very much enjoying internet in their own way. Some are already cautious about what they do and aware of what not to do. Most of them go however after everything that might be of interest or give them for example some benefit in their favorite game of the moment. You might have guessed it, the later can get themselves and their systems exposed to a lot of trouble. Because they actually believe that this “when you install this you will get super powers in your game” is true, not knowing that in reality they will hook up their system to for example a proxy that is tracking everything they do. Or the “this will make you PC much faster” that actually installs a root kit on their system. No matter what technical precautions are implemented, they will always find ways around them and the bad guys even give them step-by-step instructions to do so.

So every kid is a potential cybercrime victim. It is up to us to make the internet safe for our own kids and the kids of others. Using computers and internet is common ground in schools. Kids have mobile phones and join all kinds of social media. These kids should be able to benefit from the advantages of the digital community in the same manner as they should be able to join a sports club or pursue other hobbies and develop themselves. Throughout all this, we want the kids to be protected, to learn from their mistakes without being harmed, and to develop themselves into smart independent individuals.

To protect them from the hordes of cyber criminals out there, it takes much more than installing anti-virus software and a parental control tool. Education is key and must start early, before they even get exposed! And believe me, they will get exposed. So even if you shouldn’t care much for your own Cybersecurity, care for the Cybersecurity of the kids!